Family Archivist — Privacy Policy

Issuing controller: ML Consulting MB · Vilnius, Republic of Lithuania · legal entity code 306991112

Version: 1.0

Effective from: 8 June 2026

Last updated: 8 June 2026

Privacy contact: support+familyarchivist@mlconsulting.lt

Lead supervisory authority: Valstybinė duomenų apsaugos inspekcija (VDAI), Vilnius

Backend data residency: European Union (with private EU GPU boundary for server-side AI)

Distribution: Apple App Store (Essential · Family · Family Office · Institutional) plus Object Universe collection add-on IAPs

ARCHIVAL, FIDUCIARY, CULTURAL-HERITAGE & POSTHUMOUS DISCLAIMER — READ FIRST

Family Archivist is a private, evidentiary iOS-native archive — an operating system for what a family remembers, proves, governs and passes on. It is NOT a national, regional or municipal archive within the meaning of the Republic of Lithuania Law on Documents and Archives, the U.K. Public Records Act 1958, the U.S. National Archives and Records Administration (NARA), the French Code du patrimoine, the German Bundesarchivgesetz, the Italian Codice dei beni culturali e del paesaggio, the Spanish Ley del Patrimonio Histórico or any equivalent national archive law; NOT a court of probate, court of protection, court of succession, Surrogate's Court or any other tribunal; NOT a notarial office; NOT a Qualified Trust Service Provider, eIDAS-recognised qualified electronic signature creation device, qualified electronic seal creation device, qualified electronic delivery service or qualified preservation service within the meaning of Regulation (EU) 910/2014; NOT a registry of births, deaths, marriages, divorces, civil partnerships or adoptions; NOT a UNIDROIT Convention on Stolen or Illegally Exported Cultural Objects 1995, UNESCO 1970 Convention, EU Regulation (EU) 2019/880, U.K. Dealing in Cultural Objects (Offences) Act 2003, U.S. National Stolen Property Act, Washington Conference Principles on Nazi-Confiscated Art 1998 or Native American Graves Protection and Repatriation Act (NAGPRA) clearance authority; NOT a CITES authority for ivory, tortoiseshell, rhinoceros horn, exotic taxidermy or other restricted materials; NOT a 5AMLD / 6AMLD / OFAC / EU Consolidated / U.K. OFSI / U.N. Security Council sanctions or politically-exposed-person screening; NOT a tax filing instrument; NOT a fire alarm, intrusion alarm, calibrated thermograph, calibrated dewpoint sensor, calibrated lux meter, NFPA fire-marshal instrument, building-control or planning-permission authority; and NOT a public emergency service. CALLING 112 / 911 / 999 OR THE LOCALLY APPLICABLE PUBLIC EMERGENCY NUMBER REMAINS MANDATORY whenever any person is in apparent danger of death or serious harm.

Family Archivist does NOT authenticate, attribute, valuate or render an opinion on the authenticity, attribution, condition, conservation, provenance, restitution exposure, market value, investment merit, sale timing or sale price of any Fine Art work, Watch, piece of Jewellery, Wine bottle, Whisky / Cognac / Rum / rare-spirit cask, Cigar batch, Rare Book / Manuscript / Autograph, Coin / Banknote / Stamp / Postal-History item, Vinyl pressing / Audio-Equipment item, Musical Instrument, Classic / Performance / Concours Vehicle, Yacht / Boat / Vessel, Firearm / hunting / sporting item, Antique / Heritage Furniture / Decorative-Arts piece, Textile Heritage piece, Companion Animal, Equine, Heritage Garden feature or Recipe / culinary-heritage item. Authentication, attribution and valuation authority rests exclusively with qualified, named, independent professionals — including GIA, HRD Antwerp, SSEF, AGS, Gübelin for gemstones; ILAB, ABA, PBFA, BSC for books; Christie's, Sotheby's, Phillips, Bonhams, Heritage Auctions, Dorotheum, Hampel for fine art; Antiquorum, Phillips Watches, Christie's Watches, Sotheby's Watches, the Federation of the Swiss Watch Industry FH for watches; Robert Parker / Wine Advocate, Jancis Robinson MW, Decanter, Wine Spectator, Court of Master Sommeliers, WSET, Institute of Masters of Wine for wine; PCGS, NGC, ANACS, ICG, CCG for coins; FIVA, AACA, Pebble Beach, DVLA and EU vehicle-registration authorities for vehicles; Lloyd's Register, Bureau Veritas, DNV, RINA, ABS for vessels; and the equestrian, garden, culinary and other discipline-specific bodies named in the App. Family Archivist ORGANISES and EVIDENCES; it does NOT opine, attribute, authenticate, valuate, advise, broker, trade, transact, recommend buying or selling, predict appreciation or depreciation, file with any tax authority, file with insurers, file with public registries or replace any qualified professional, fiduciary, attorney, accountant, conservator, gemologist, sommelier, horologist, dealer, auction house, classifier, registrar, notary, archivist, valuer, broker, trustee, protector, executor, custodian, guardian, surveyor, fire marshal, building-control officer or law-enforcement authority.

Apple Watch Critical Alerts, ActivityKit Live Activities, sealed-message triggers, posthumous protocols, break-glass approvals, HomeKit / Matter sensor time-series, Vision-framework outputs, Speech-framework outputs, AI-drafted Pack narratives and APNs notifications are operational notifications, advisory only. The principal, family member, trustee, protector, digital executor, advisor, fiduciary, insurer or cultural-institution recipient remains the responsible person for every authentication, attribution, valuation, fiduciary, tax, regulatory, cultural-heritage, restitution, conservation, succession, insurance, sale, gift, bequest, loan, AML, sanctions, sealed-message-release, posthumous, custodianship, child-welfare, equine-welfare, firearm-licensing, alcohol-licensing, tobacco-import, CITES, cultural-goods-import, planning-permission, fire-marshal and contractual decision at all times — independently of the App.

AT A GLANCE — what you should know in 60 seconds

We do not sell your personal data and we never will. We do not use Subscriber Data — including Evidence-Stack MediaItems (photos, video walk-arounds, audio commentary, oral-history segments, LiDAR / RoomPlan scans, AR placements, sensor time-series, document scans, PencilKit annotations and PDF/A archival masters), Object Universe records, Memory Studio voice recordings and transcripts, Living Family Tree edges, posthumous Sealed Messages, Emergency File contents, Inheritance-Readiness Map state, family-governance votes or knowledge-graph edges — to train, fine-tune, evaluate or benchmark any machine-learning model. No third-party AI provider trains, evaluates, fine-tunes or benchmarks any model on family content. Sealed (T5) content is NEVER embedded, indexed, summarised or retrieved by any AI feature.

Family Archivist is offline-aware: Object records, Evidence-Stack MediaItems, voice memos, PencilKit annotations, capture-protocol confirmations, Apple-Pencil-signed acknowledgements, Apple Watch quick captures, sensor time-series snapshots and append-only AuditEvent records are written first to on-device storage (SwiftData on iPhone and iPad, watchOS storage on Apple Watch) and synced to the EU-resident backend when connectivity returns — including from country houses, cellars, humidors, galleries, vaults, strong rooms, gardens, paddocks, stables, garages, hangars, attics, deposit boxes and locations with patchy carrier coverage.

The Family Archivist backend is hosted in the European Union. Personal data is encrypted in transit (TLS 1.2 or higher) and at rest, with per-MediaItem envelope encryption, per-tenant row-level security and signed-URL access. Server-side AI runs within a private EU GPU boundary. Cryptography is hybridised — Ed25519 / X25519 for classical and ML-KEM-768 for post-quantum on premium tiers — with explicit algorithm identifiers on every ciphertext.

We do not run advertising in the App, and we do not embed third-party advertising or tracking SDKs. The App is declared “Data Not Used to Track You” in the App Store. There is no ad model and there never will be. There are no streaks, no shareable moments, no marketing-style nudges, no anniversary reminders, no gamified memory streaks and no anxiety-triggered notifications.

Family Archivist is sold by subscription through the Apple App Store under Essential, Family, Family Office and Institutional editions, plus Object Universe collection add-on In-App Purchases (Wine Cellar, Whisky & Spirits, Cigar Humidor, Watch Collection, Jewellery, Fine Art Provenance, Rare Books, Numismatics & Philately, Vinyl & Music, Musical Instruments, Classic Vehicles, Yachts & Vessels, Firearms & Sporting — jurisdiction-gated, Antiques & Heritage Furniture, Textile Heritage, Equestrian & Companion Animals, Heritage Garden, Culinary Heritage) and bundles (Collector Bundle, Estate Bundle, Insurance Pack). Family Office and Institutional editions are additionally available under a direct Order Form with ML Consulting with concierge onboarding billed separately.

The App is NOT a public archive, NOT a notarial office, NOT a court of probate / protection / succession, NOT a Qualified Trust Service Provider under eIDAS, NOT an authentication / attribution / valuation authority for any Object Universe category, NOT a UNIDROIT 1995 / UNESCO 1970 / EU 2019/880 cultural-heritage authority, NOT a CITES authority, NOT a 5AMLD / 6AMLD / OFAC / EU Consolidated / U.K. OFSI sanctions / PEP authority, NOT a tax filing instrument, NOT a fire alarm, NOT an intrusion alarm, NOT a calibrated thermograph / dewpoint / lux instrument, NOT a planning-permission or building-control authority and NOT a public emergency service.

Passkey / Face ID / Touch ID-gated Evidence-Stack actions, Apple-Pencil-signed annotations, PencilKit markup, capture-protocol acknowledgements and biometric break-glass approvals are operational acknowledgements only — they may, depending on context, qualify as electronic signatures or advanced electronic signatures within the meaning of eIDAS; they qualify as qualified electronic signatures only where they are combined with a qualified certificate issued by a qualified trust service provider. RFC 3161 trusted timestamping is applied to premium-tier MediaItems and material-change events at ingest by an independent trusted timestamp authority.

Object, person, place, event, decision and knowledge-graph data belongs to the family. We do not share or sell this data with any third party for advertising, commercial-intelligence, valuation-benchmarking, market-research or insurance-aggregation purposes.

Family Archivist deliberately does NOT offer: AI authentication, attribution, valuation or restitution determinations on any Object; AI Holocaust-era / Nazi-confiscated / colonial-period / NAGPRA / UNIDROIT 1995 / UNESCO 1970 / EU 2019/880 restitution adjudication; AI CITES, alcohol-import, tobacco-import or firearms-licensing determinations; AI sanctions, PEP or ultimate-beneficial-owner determinations; AI tax determinations; AI fiduciary, trust, protector, executor, guardian or custodianship adjudication; AI succession, probate or matrimonial-property determinations; AI capacity, mental-health, paternity, orientation, sexuality or medical-state inferences; AI grief, mortality or estrangement-tone narrative; AI posthumous narrative attributed to a deceased person without prior signed authorisation; AI sealed-content extraction; AI sale, transaction, trade, buy, sell, drink-now-or-never or appreciation-prediction suggestions; AI re-shell, Frankenwatch, counterfeit, forgery or alteration claims; or AI behavioural / ranking / employability / blacklist / counterparty-risk profiles.

You can exercise the full set of EU GDPR rights at any time by writing to support+familyarchivist@mlconsulting.lt. Our lead supervisory authority is the Lithuanian State Data Protection Inspectorate (VDAI) in Vilnius.

Family Archivist is designed to be used by adult principals, family members and fiduciaries. Data subjects may include minors, incapacitated persons and deceased persons; minor-facing surfaces follow age-aware principles — a 16-year-old descendant is never confronted with medical files; sealed content requires an explicit “this is painful” consent step; difficult topics are surfaced in dignified language; there are no surprise death reminders or anniversary pushes.

1. About this Privacy Policy

ML Consulting MB (“ML Consulting”, “we”, “us”, “our”) is the publisher of the Family Archivist iOS / iPadOS / watchOS application (the “App”), distributed through the Apple App Store and, for the Family Office and Institutional editions, through direct Order Forms. This Privacy Policy explains what personal data the App and its related surfaces — the iPhone primary surface, the iPad cataloguing and Advisor Workspace surface, the Apple Watch glanceable / break-glass / Critical-Alert surface, the visionOS horizon surface (post-MVP), the Memory Studio, the Object Universe modules (Wine Cellar, Whisky & Spirits, Cigar Humidor, Watch Collection, Jewellery, Fine Art Provenance, Rare Books, Numismatics & Philately, Vinyl & Music, Musical Instruments, Classic Vehicles, Yachts & Vessels, Firearms & Sporting — jurisdiction-gated, Antiques & Heritage Furniture, Textile Heritage, Equestrian & Companion Animals, Heritage Garden and Culinary Heritage), the Evidence Stack with its capture protocols, the Living Family Tree, the Sealed-Message and posthumous-protocol surfaces, the Emergency File flow, the Inheritance-Readiness Map, the sensor and environmental-telemetry surface (HomeKit / Matter), the BagIt and Evidence Packet export pipeline, the six browser-accessible Counterparty Portals (Family Office / Multi-Family Office Portal, Estate Trustee / Protector / Fiduciary Portal, External Advisor Portal, Insurance Underwriter Portal, Forensic Cultural-Heritage / Provenance Reviewer Portal and Museum / Cultural-Institution Curator Portal) and the separate Concierge & Advisor Onboarding Service line — process when you use the App, why we process it, the legal bases on which we rely, with whom we share it, for how long we keep it, and the rights you have under the General Data Protection Regulation (“GDPR”) and other applicable privacy laws.

This Policy is written to satisfy Articles 12 to 14 of Regulation (EU) 2016/679 (the “GDPR”), the Republic of Lithuania Law on Legal Protection of Personal Data, Articles 7, 8 and 9 GDPR (special categories and children), Article 88 GDPR (processing in the context of employment, applied to household and concierge staff), Regulation (EU) 910/2014 (“eIDAS”) where electronic-signature and timestamping claims are concerned, Directive (EU) 2019/1937 (the “Whistleblower Directive”), Regulation (EU) 2024/1689 (the “AI Act”), EU Regulation (EU) 2019/880, UNIDROIT 1995, UNESCO 1970, the Washington Conference Principles on Nazi-Confiscated Art 1998, NAGPRA, CITES, 5AMLD, 6AMLD, EU Regulation (EU) 650/2012 (Brussels IV — succession) and the Hague Convention on the Law Applicable to Trusts and on their Recognition 1985.

Family Archivist is a premium, private, evidentiary iOS-native operating system intended for households and families that own records, artefacts, collections, memory and governance worth preserving across generations. This Policy should be read together with the Family Archivist Terms and Conditions (Master Terms + Schedule A) and, where ML Consulting acts as processor on behalf of a Family Office or Institutional tenant, the Master Data Processing Agreement (Master DPA) concluded with the principal of that tenant.

2. Controller identification

We are the data controller for the processing described as “we act as controller” in section 4 of this Policy.

Legal name: ML Consulting MB

Legal form: Mažoji bendrija (small partnership) governed by the law of the Republic of Lithuania

Legal entity code: 306991112 (Centre of Registers of the Republic of Lithuania)

Website: https://mlconsulting.lt

Privacy contact: support+familyarchivist@mlconsulting.lt

ML Consulting MB has not designated a Data Protection Officer because its current processing does not meet the criteria in Article 37(1) GDPR. The privacy contact above handles all data-protection enquiries. Family Office and Institutional tenants may, under their Master DPA, designate an internal DPO or external DPO and route family-side data-protection enquiries directly to that DPO; in such cases ML Consulting will cooperate with the designated DPO and re-route requests as instructed.

Our lead supervisory authority for the purposes of the GDPR's one-stop-shop mechanism (Article 56 GDPR) is the Lithuanian State Data Protection Inspectorate — Valstybinė duomenų apsaugos inspekcija (VDAI) — at L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania, telephone +370 5 271 2804, email ada@ada.lt, website vdai.lrv.lt.

3. Scope of this Policy

This Privacy Policy applies to:

the Family Archivist iOS / iPadOS / watchOS application published by ML Consulting MB on the Apple App Store, including the iPhone primary surface, the iPad cataloguing and Advisor Workspace surface and the Apple Watch glanceable / break-glass / Critical-Alert surface, on iOS 17 (or higher) compatible devices; the visionOS horizon surface is reserved as out of MVP scope;

the Object Universe modules — Wine Cellar, Whisky & Spirits, Cigar Humidor, Watch Collection, Jewellery, Fine Art Provenance, Rare Books, Numismatics & Philately, Vinyl & Music, Musical Instruments, Classic Vehicles, Yachts & Vessels, Firearms & Sporting (jurisdiction-gated), Antiques & Heritage Furniture, Textile Heritage, Equestrian & Companion Animals, Heritage Garden and Culinary Heritage;

the Evidence Stack universal multimedia model with its capture protocols, the Memory Studio (Oral-History Studio), the Living Family Tree, the Inheritance-Readiness Map, the Emergency File, the Sealed-Message and posthumous-protocol surfaces, the Family-Governance surface, the sensor and environmental-telemetry surface (HomeKit / Matter) and the BagIt / Evidence Packet export pipeline;

the six browser-accessible Counterparty Portals — Family Office / Multi-Family Office Portal, Estate Trustee / Protector / Fiduciary Portal, External Advisor Portal, Insurance Underwriter Portal, Forensic Cultural-Heritage / Provenance Reviewer Portal and Museum / Cultural-Institution Curator Portal;

the Concierge & Advisor Onboarding Service line (operational concierge only);

user accounts, tenants, Workspaces, family-governance memberships, role assignments, subscriptions, Object Universe collection add-on In-App Purchases, onboarding sessions, support channels, billing operations and the Shamir k-of-n KEK custodianship arrangement;

the App's landing pages, help articles and documentation hosted on mlconsulting.lt that describe Family Archivist; and

email, in-application and other communications you exchange with us about the App.

Where Apple Inc. or its subsidiaries, or any other independent third party, processes personal data on its own account in connection with the App — for example, the Apple App Store, Sign in with Apple, Passkeys (WebAuthn), APNs push, ActivityKit, ClockKit, StoreKit 2, CloudKit, HomeKit / Matter, Vision, VisionKit, Speech, Core ML, ARKit / RoomPlan / LiDAR, PhotoKit, PencilKit, CryptoKit, Secure Enclave or a payment-card network — that party acts as a separate controller and its own privacy policy applies in addition to this Policy.

4. Our two privacy roles — controller and processor
4.1 We act as controller

We determine the purposes and means of processing for the following categories:

account, authentication and Passkey-derived identity data;

device, technical, telemetry and security-event data;

communications and support correspondence about the App;

billing and payment data we collect through Apple App Store In-App Purchase (Essential, Family and all Object Universe collection add-on IAPs) and from Direct-Channel Subscribing Customers via Stripe (Family Office and Institutional tier, Counterparty Portal seats, paid pilots, Concierge & Advisor Onboarding Service); and

Concierge & Advisor Onboarding Service engagement records.

4.2 We act as processor

Family Archivist operates on a Tenant / Workspace / Family-Governance model. The tenant is the family (or single-principal household) and is represented by a named Principal. The Principal — together with the family members, trustees, protectors, digital executors, accountants, general counsel, advisors, conservators, insurers, museum / cultural-institution recipients and concierge operators that the Principal authorises — uses the App to manage the Object Universe, the Living Family Tree, the Memory Studio, the Evidence Stack, the Emergency File, the Inheritance-Readiness Map, the Sealed-Message and posthumous-protocol layer, the Family-Governance layer, the sensor and environmental-telemetry surface, the Evidence Packet export pipeline, the Counterparty Portal seats and the AuditEvent stream. For that Customer Data, the Principal is the data controller and ML Consulting acts as a processor under the Master DPA, which meets the requirements of Article 28 GDPR.

In that role we process Customer Data only on the documented instructions of the Principal, except where we are required to act otherwise by EU or Lithuanian law. ML Consulting does not use Subscriber Data to train, fine-tune, evaluate or benchmark any machine-learning model, and does not disclose Subscriber Data to any third-party model provider without the express written consent of the Principal of the relevant tenant. No third-party AI provider trains, evaluates, fine-tunes or benchmarks any model on family content. Sealed (T5) content is NEVER embedded, indexed, summarised or retrieved by any AI feature — this prohibition is enforced at ingest and on every classification change.

5. Apple App Store, iOS, iPadOS, watchOS and platform context

Because the App is delivered through the Apple App Store and runs on Apple's iOS, iPadOS and watchOS platforms, several aspects of how your personal data is handled are inherited from Apple's platform. There is no Web Advisor Portal in the launch scope (replaced by signed and encrypted Evidence Packets), no Mac Catalyst app, no Android app and no web app within the scope of the MVP; visionOS is reserved as a horizon surface and is not in the launch scope.

5.1 App Privacy details on the App Store

Apple requires every application on the App Store to publish a structured summary of the data it collects (the “App Privacy details”). The App Privacy details for Family Archivist are kept consistent with this Policy. Indicatively, they declare Contact Info, User Content, Sensitive Info and, where opted-in, Diagnostics and anonymous Usage Data. Tracking is declared as None.

5.2 App Tracking Transparency

Family Archivist does not track you across other companies' applications and websites within the meaning of Apple's App Tracking Transparency framework. We do not request the App Tracking Transparency permission and we do not use the iOS Identifier for Advertisers (IDFA). The App's App Store declaration is set to “Data Not Used to Track You”.

5.3 Privacy Manifest

Family Archivist ships an Apple-required Privacy Manifest (PrivacyInfo.xcprivacy) declaring the data categories the App collects, the reasons for any use of “required reason” iOS APIs and the third-party SDKs the App depends on. The Privacy Manifest is the machine-readable counterpart of this Policy.

5.4 iOS sandbox, Data Protection, per-MediaItem envelope encryption and Secure Enclave

On-device application data is held inside the iOS application sandbox and benefits from Apple's default Data Protection. Family Archivist adds per-MediaItem envelope encryption: every MediaItem is encrypted with a per-MediaItem data-encryption key (DEK), which is itself wrapped with a tenant-scoped key-encryption key (KEK). KEK custody is held by the Principal through a Shamir k-of-n custodianship arrangement with principal-chosen custodians. Symmetric ciphers are AES-256-GCM and XChaCha20-Poly1305; asymmetric is Ed25519 for signing and X25519 for key encapsulation, hybridised with ML-KEM-768 for premium tiers; every ciphertext carries an explicit algorithm identifier (cipher-agility).

5.5 Passkeys, Sign in with Apple, email magic-link, FIDO2 hardware tokens and shared-device PIN

Family Archivist uses Passkeys (WebAuthn) as the primary authentication method; there are no passwords. Sign in with Apple is supported as an alternative. Email magic-link authentication is supported for advisors and counterparty recipients. For Family Office and Institutional editions, fiduciary and admin roles additionally support FIDO2 hardware tokens (YubiKey 5 / Bio and equivalents). Concierge operators on shared iPad cataloguing-session devices authenticate with a personal PIN (stored as a salted hash).

5.6 Face ID, PencilKit, Apple-Pencil-signed annotations — not eIDAS qualified, not authentication / attribution / valuation authority

Face ID-signed acknowledgements, PencilKit annotations, Apple-Pencil signatures, capture-protocol confirmations, voice memos and sensor-pair acknowledgements captured in Family Archivist are operational acknowledgements. They may, depending on context, qualify as electronic signatures or advanced electronic signatures within the meaning of eIDAS; they qualify as qualified electronic signatures only where they are combined with a qualified certificate issued by a qualified trust service provider. They are NOT a notarial deed, NOT a court order, NOT a Qualified Trust Service Provider attestation, NOT a public-archive accession record, NOT a tax filing, NOT a Land Registry entry, NOT an authentication / attribution / valuation determination, NOT a CITES / UNIDROIT / UNESCO / EU 2019/880 / Washington / NAGPRA clearance, NOT a sanctions / PEP screening and NOT a planning-permission approval.

5.7 Apple Watch — glanceable, break-glass and Critical Alert surface

The watchOS companion hosts only justified, dignified interactions. There are no marketing-style nudges, no anniversary reminders and no anxiety triggers. Apple Watch surfaces include: ClockKit complications for one-tap “Open Emergency File” (biometric-gated), one-tap 90-second voice memo, cellar / humidor / gallery temperature glance for paired Storage Locations; APNs Critical Alerts ONLY on user-set sensor thresholds and break-glass approvals; ActivityKit Live Activities for long-running ingest jobs, sealed-message countdowns and break-glass delay windows. The Watch is not a calibrated thermograph, dewpoint sensor, lux meter, fire alarm, intrusion alarm, security-monitoring service or 112 / 911 / 999 button.

5.8 HomeKit / Matter — environmental telemetry and sensor anomaly logic

HomeKit / Matter-paired environmental sensors (temperature, humidity, light, door-open) attached to Storage Locations — cellars, humidors, galleries, strong rooms, vaults, wardrobes — write to MediaItem.kind = sensor_timeseries. Anomaly logic is three-state: routine (show in daily summary only); attention (non-critical visible status, no push); breach (Critical Alert on Apple Watch when the user-set threshold is exceeded for the user-set duration). Sensor time-series are not a calibrated metrology instrument and not a fire / smoke / gas / water / intrusion alarm.

5.9 VisionKit — document scanning and on-device OCR

Family Archivist uses Apple's VisionKit document-scanner and the Vision framework on-device for document scanning, OCR and capture-protocol validation. VisionKit and Vision processing run locally on your iPhone or iPad and do not transmit the underlying document image or extracted text to any third-party AI provider as a result of these features.

5.10 ARKit / RoomPlan / LiDAR / USDZ — room and object scans

Family Archivist uses Apple's ARKit, RoomPlan and LiDAR frameworks on supported iPhone Pro and iPad Pro models to capture room scans and USDZ / glTF object scans. Scans are processed locally on your iPhone or iPad. Scans are NOT calibrated dimensional metrology, NOT a structural-survey instrument, NOT a building-control or planning-permission authority and NOT a conservation-authority determination.

5.11 Speech, NaturalLanguage and Core ML — Memory Studio and on-device embeddings

Family Archivist uses Apple's Speech framework on-device for first-pass dictation of Memory Studio voice memos, oral-history segments, capture-protocol commentary and Sealed-Message drafting. Core ML is used on-device for embeddings of T1 and T2 content and for cosine-similarity oral-history retrieval. Sealed (T5) content is NEVER embedded — enforced at ingest and on every classification change.

5.12 ActivityKit, APNs, EventKit, WidgetKit, App Intents, BackgroundTasks, StoreKit 2, Focus Filter API and ClockKit

Family Archivist relies on a number of Apple frameworks: APNs Time-Sensitive (operational only, sober, never marketing); ActivityKit Live Activities; EventKit (optional writes to Apple Calendar); WidgetKit (Lock Screen / Home Screen widgets); App Intents and AppShortcuts (Siri-discoverable shortcuts); BackgroundTasks (BGTaskScheduler — offline-aware ingest); StoreKit 2 (Apple App Store In-App Purchase); the Focus Filter API; ClockKit (Apple Watch complications).

5.13 Counterparty Portals — Evidence Packet delivery

Family Archivist can issue scoped read-only seats to six browser-accessible Counterparty Portals. Counterparty Portals are served by Family Archivist' EU-resident backend, are scoped to records the Principal expressly selects, respect classification-tier metadata (T5 sealed content is NEVER exposed), default to pseudonymising worker and dependant identifiers, default to redacting child-facing material from any advisor / insurer / dealer view, expire on a deadline set by the Principal and are revocable at any time. Every Evidence Packet delivered through a Counterparty Portal is signed, hash-verified end-to-end, watermarked with the recipient identity, time-stamped with an RFC 3161 trusted timestamp (premium tiers) and accompanied by a cover memo.

5.14 App Privacy Report

iOS 15.2 and later provide an in-operating-system App Privacy Report that lets you inspect the sensors, data categories and network domains the App has accessed.

6. Key terms used in this Policy

Personal data — any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.

Processing — any operation performed on personal data, including collection, recording, organisation, storage, use, disclosure and erasure.

Controller — the person who determines the purposes and means of processing.

Processor — a person who processes personal data on behalf of a controller.

Tenant — a single Family Archivist customer instance, typically corresponding to one family.

Principal — the natural person responsible for the Tenant.

Authorised User — a natural person authorised by the Principal to access the App, including family members, minors, newly-major family members, spouses, former spouses (time-bounded), trustees, protectors, general counsel, accountants (purpose-bound), digital executors, advisors and Counterparty Portal recipients.

Workspace — a logical subdivision of a Tenant.

Object Universe — the structured, category-aware atlas of every artefact the family preserves.

Evidence Stack — the first-class media-bearing container attached to any Entity. Each Evidence-Stack item (a MediaItem) is independently hashed (SHA-256 + BLAKE3), versioned, classified, signed and back-edge-linked.

MediaItem — a single multimedia evidence item: photo, video walk-around, audio commentary, oral-history segment, LiDAR / RoomPlan / USDZ / glTF scan, AR placement, document scan, PencilKit annotation, sensor time-series snapshot, PDF/A archival master or JSON-LD metadata.

Capture protocol — a versioned, iPhone-first guided flow that ensures a MediaItem has the right metadata, angles, consent and linking.

Memory Studio — the Oral-History Studio surface for capturing structured voice and video recordings.

Living Family Tree — the genealogical, governance and inheritance graph linking Persons, Objects, Places, Events and Decisions across generations.

Sealed Message — a posthumous, incapacity-triggered or date-triggered communication. Sealed (T5) content is NEVER embedded, indexed, summarised or retrieved by any AI feature.

Posthumous protocol — the structured succession, custodianship and key-recovery flow that releases sealed content, transfers custody of Object Universe collections and discharges the Inheritance-Readiness Map on death, incapacity or governance change.

Emergency File — the principal-curated, printable, encrypted summary of critical information needed by family and fiduciaries in an emergency.

Inheritance-Readiness Map — the per-tenant index of how complete the canonical record is for succession purposes.

Counterparty Portal — a web-link surface offering scope-correct read-only seats to one of six counterparty types: Family Office / Multi-Family Office, Estate Trustee / Protector / Fiduciary, External Advisor, Insurance Underwriter, Forensic Cultural-Heritage / Provenance Reviewer and Museum / Cultural-Institution Curator.

Evidence Packet — a signed, encrypted, watermarked, hash-verified bundle of Customer Data delivered to a Counterparty Portal recipient or exported as a BagIt set.

AuditEvent — the per-tenant append-only event log of every actor, purpose, scope, time, device, factor, outcome, prev_hash and new_hash.

Classification tiers (T1 to T5) — Family Archivist classifies every Entity and every MediaItem from T1 (public family) through T5 (sealed). T5 sealed content is never embedded, indexed, summarised or retrieved by AI features.

Shamir k-of-n custodianship — the principal-chosen key-recovery arrangement for the per-tenant KEK.

RFC 3161 trusted timestamp — premium-tier MediaItems and material-change events are anchored by an external independent trusted timestamp authority.

Concierge & Advisor Onboarding Service — operational concierge only; NOT a notarial, archival, fiduciary, legal-advice, tax-advice, valuation, authentication, restitution, AML / sanctions, fire-marshal, security or emergency-dispatch service.

On-device — data stored or processed locally on the user's iPhone, iPad or Apple Watch inside the iOS / watchOS application sandbox.

Backend — Family Archivist' EU-resident server-side service, with all server-side AI executing within a private EU GPU boundary.

Sub-processor — a third-party service provider that processes personal data on our behalf.

EEA — the European Economic Area, comprising the EU Member States, Iceland, Liechtenstein and Norway.

VDAI — Valstybinė duomenų apsaugos inspekcija, the Lithuanian State Data Protection Inspectorate, our lead supervisory authority.

7. Personal data we process

We collect only the data we reasonably need to operate, secure, support and improve the App. The categories below describe what Family Archivist processes; not every Tenant, Workspace, Person, Object Universe collection or Module will involve every category.

7.1 Account and authentication data

Name, email address, account identifier, authentication method (Passkey / WebAuthn, Sign in with Apple, email magic-link, FIDO2 hardware token or shared-device PIN), Apple-issued relay address where you used “Hide My Email”, Tenant and Workspace membership, role and permissions. We do not store passwords; Passkey authentication is WebAuthn; magic-link authentication uses one-time signed links; shared-device PINs are salted-hashed.

7.2 Device, technical and telemetry data

IP address (typically truncated for analytics), device model and operating-system version (iOS, iPadOS, watchOS), App version, language and timezone, pseudonymised interaction events, crash reports, performance traces and security-relevant events such as failed log-ins, failed PIN attempts, biometric gate attempts and Passkey assertion failures.

7.3 Communications and support data

The content and metadata of any email, support ticket, in-app help message, demo request, onboarding call note, Concierge & Advisor Onboarding Service correspondence, sealed-message custody enquiry, posthumous-protocol enquiry, Inheritance-Readiness Map enquiry or capture-protocol enquiry, including any attachments you choose to send.

7.4 Billing and payment data

For App Store subscriptions and IAPs: the Apple-supplied subscription / IAP identifier, the tier / module selected, renewal state and the App Store-controlled refund-and-cancellation rules apply (Apple Inc. is the merchant of record). We do not receive your payment-card data through the App Store path. For Direct-Channel subscriptions (Family Office and Institutional editions, Counterparty Portal seats, paid pilots and Concierge & Advisor Onboarding Service): invoicing entity name, registered address, VAT identifier, signatory contact, Order Form record, payment-status data, bank-transfer reference and the last four digits of the payment card where card payment is used through Stripe. We do not store full payment-card numbers; payment-card data is processed by Stripe.

7.5 Customer Data (we are processor)

Object Universe records (Fine Art, Wine, Whisky / Spirits, Cigars, Watches, Jewellery, Rare Books, Numismatics & Philately, Vinyl, Musical Instruments, Classic Vehicles, Yachts, Firearms — jurisdiction-gated, Antiques, Textile Heritage, Companion Animals and Equestrian, Heritage Garden, Recipes) with category-specific metadata; Evidence-Stack MediaItems; Person records; Place records; Event records; Decision records; Memory Studio voice and video recordings with on-device first-pass transcripts; Living Family Tree edges; Sealed Messages with trigger schedules; Emergency File contents; Inheritance-Readiness Map state; Family-Governance votes; Shamir k-of-n share custodianship arrangements (custodians, threshold, share metadata — never the share itself); Evidence Packets and BagIt exports; and the append-only AuditEvent log.

7.6 Special-category and sensitive data (Article 9 GDPR — incidental and lawfully recorded)

Family Archivist is not designed to collect special-category data within the meaning of Article 9 GDPR by default, but families lawfully choose to record special-category data in restricted T3 / T4 Workspaces (medical preferences in the Emergency File; religious affiliation in genealogical records; trade-union membership in CVs; sexual orientation in oral-history segments where a family member chooses to record this; political opinion in oral-history segments; biometric photographs in identity-document copies; genetic data where a family chooses to record genealogical DNA test results). The Principal warrants that they have a lawful Article 9 basis for storing such data in Family Archivist. Biometric authentication (Face ID / Touch ID) is performed by Apple's LocalAuthentication framework and biometric data never leaves the device.

7.7 Minor and incapacitated-person data

Where a Principal records personal data of a minor or an incapacitated person: the minor's or incapacitated person's name, date of birth, relationship to the Principal, branch, role (descendant, beneficiary, sealed-message recipient), and any Evidence-Stack MediaItems in which they appear. The descendant interface is age-aware: a 16-year-old descendant is never confronted with medical files; sealed content requires an explicit “this is painful” consent step; difficult topics surface in dignified language; there are no surprise death reminders or anniversary pushes.

7.8 Deceased-person data

Where a Principal records personal data of a deceased family member or other person: the deceased person's name, dates, relationship, branch, every Evidence-Stack MediaItem in which they appear and every oral-history segment that names them as narrator or subject. The App does not generate posthumous narratives attributed to a deceased person unless that person, during their lifetime, expressly authorised the narrative in a signed Sealed Message or Memory Studio recording.

7.9 Counterparty Portal recipient data

Where the Principal enables a Counterparty Portal seat: the recipient's organisation, name, email or other contact details, role, the scope of records the seat exposes, the expiry, the activity log and the revocation state.

7.10 Sensor and environmental-telemetry data (HomeKit / Matter)

Where the Principal has paired HomeKit / Matter sensors to a Storage Location: time-series of temperature, humidity, light and door-open events, hash-fixed daily and anchored into the Evidence Stack of the parent Storage Location. Not a calibrated metrology instrument; not a fire / smoke / gas / water / intrusion detector; not a security-monitoring service.

7.11 Backend AI helper inputs and outputs (paid opt-in add-on)

Where the Principal has enabled the backend AI add-on: the OCR-extracted text sent for Claude-class capture-protocol narrative drafting; the audio clip sent for Whisper-class long-form transcription; the structured text sent for Evidence Packet narrative drafting; the imported provenance documents sent for Claude-class provenance-timeline drafting (Fine Art only, with mandatory human review of restitution-window flags); and the generated draft outputs in each case. T3, T4 content is minimised or excluded from transmission unless the Principal expressly enables that flow. Sealed (T5) content is NEVER transmitted, NEVER embedded and NEVER indexed under any circumstance. All server-side AI executes within the private EU GPU boundary. AI-drafted narratives carry a “Draft — review before sharing” watermark until the Principal or a named fiduciary explicitly finalises.

7.12 What we do not collect

To remove ambiguity, Family Archivist does not collect:

the contents of your Apple Contacts, the wider Apple Calendar, your photo library beyond images you actively import, or any HealthKit data;

data from any public archive, court of probate, court of protection, court of succession, family court, divorce tribunal, arbitration tribunal, notarial office, Qualified Trust Service Provider, registry, Land Registry, Centre of Registers, Companies House, tax authority, Art Loss Register, Interpol Stolen Works of Art Database, FIVA, UELN, breed-society registry, classification society, fire-marshal, planning-permission authority, building-control authority or sanctions / AML / PEP screening provider;

behavioural-advertising identifiers; we do not run advertising, do not use the IDFA and do not share data with advertising networks;

analytics, attribution or crash-reporting data through any third-party SDK that has not been disclosed in this Policy and in the App's Privacy Manifest;

continuous background-location data; event-based location capture (where enabled) is recorded at the moment of a saved MediaItem only;

any behavioural, ranking, employability, blacklist, counterparty-risk, advisor-quality, dealer-quality, auction-house-quality, conservator-quality, sommelier-quality, horologist-quality, vet-quality or family-member profile.

8. How we collect personal data

We collect personal data in three ways:

1. Directly from you — when you create an account, complete a form, install or use the App, scan a document, photograph an object under a capture protocol, capture a LiDAR / RoomPlan scan, attach a video walk-around, dictate a Memory Studio recording, annotate with PencilKit and Apple Pencil, sign an acknowledgement with Face ID / Touch ID, pair a HomeKit / Matter environmental sensor, draft a Sealed Message, designate a custodian for the Shamir k-of-n key recovery, complete the Emergency File, generate an Evidence Packet, open a Counterparty Portal share link, contact support or subscribe to a communication.

2. Automatically through your use of the App — when the App generates technical, telemetry, security or computational data necessary to deliver, secure or improve the service, and when Apple platform services supply data linked to your action.

3. From third parties — when Apple supplies us with the result of Sign in with Apple or a Passkey assertion, when the App Store delivers an In-App Purchase result, when a HomeKit / Matter sensor manufacturer supplies sensor telemetry, when the RFC 3161 trusted timestamp authority returns a timestamp token, when a Principal invites you to a Workspace or Counterparty Portal seat, when Stripe confirms a Direct-Channel payment, when a recipient opens a Counterparty Portal seat, or when an authority lawfully provides information in connection with a regulatory matter.

9. Why we process personal data and our legal bases

For each processing activity we rely on a lawful basis under Article 6(1) GDPR.

9.1 Performance of a contract (Article 6(1)(b))

Provide and operate the App and Counterparty Portal surfaces.

Process payments and manage billing through Apple App Store and Stripe.

On-device Core ML embeddings (for T1 / T2 content only) and on-device retrieval.

Face ID / Touch ID gating of high-consequence operations.

Issue, serve and revoke Counterparty Portal seats and Evidence Packets.

Operate the Concierge & Advisor Onboarding Service line.

RFC 3161 trusted timestamping for T4 / T5 MediaItems and material-change events.

Send service messages.

9.2 Consent (Article 6(1)(a))

Camera, microphone, photo-library, Speech-recognition, NFC and HomeKit access via the iOS prompts.

Optional event-based location identification.

APNs Time-Sensitive push, ActivityKit Live Activities, WidgetKit and Apple Watch ClockKit complications.

Optional EventKit writes to Apple Calendar.

Focus Filter API filtering.

Backend AI add-on enablement by the Principal.

9.3 Compliance with a legal obligation (Article 6(1)(c))

Statutory accounting and tax retention under Lithuanian law.

Respond to data-subject requests and operate the GDPR rights workflow.

Comply with legal, regulatory, fiduciary, succession, AML / sanctions, cultural-heritage, CITES, tax and law-enforcement obligations.

9.4 Legitimate interests (Article 6(1)(f))

Secure the App; prevent fraud, abuse, evidence tampering, signature forgery, sensor-data tampering, Sealed Message tampering and unauthorised access.

Improve the App; conduct privacy-respecting product analytics (opt-in).

Provide customer support and respond to enquiries.

Defend or pursue legal claims, including evidence disputes, sealed-content disputes, posthumous-protocol disputes, succession disputes, AML / sanctions investigations, cultural-heritage restitution claims and CITES investigations.

Where we rely on legitimate interests under Article 6(1)(f) GDPR, we have carried out and documented a balancing assessment. Where we rely on consent under Article 6(1)(a) GDPR, you may withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal.

10. Offline-aware architecture, on-device storage and EU-resident backend

Family Archivist is offline-aware. Records are written first to on-device storage (SwiftData on iPhone and iPad, watchOS storage on Apple Watch) inside the iOS / watchOS application sandbox. Records sync to the Family Archivist backend through the EU-resident managed Postgres and signed-URL object storage when connectivity returns.

The backend is hosted in the European Union. Personal data is encrypted in transit (TLS 1.2 or higher) and at rest with per-MediaItem envelope encryption. Records and files are isolated per Tenant and Workspace using row-level security and signed-URL access. Server-side AI executes within a private EU GPU boundary. RFC 3161 trusted timestamping is applied to premium-tier MediaItems and material-change events at ingest by an independent trusted timestamp authority.

11. Tenants, Workspaces, family governance and Counterparty Portal recipients

Family Archivist is operated on a Tenant / Workspace / Family-Governance model. The Principal may invite family members, fiduciaries, advisors and concierge operators; configure roles; view activity inside the Workspace; generate Evidence Packets; issue Counterparty Portal seats; configure retention; designate Shamir k-of-n custodians; draft Sealed Messages; configure posthumous protocols; and run the Inheritance-Readiness Map.

11.1 Worker monitoring under Article 88 GDPR (household and concierge staff)

Because Face ID-signed acknowledgements, PencilKit annotations, Apple-Pencil signatures, Memory Studio recordings, capture-protocol metadata and append-only AuditEvent entries can constitute employee monitoring of household and concierge staff in many EU jurisdictions, the Principal is responsible for satisfying the worker-monitoring obligations of every jurisdiction in which the relevant Storage Location or Workspace operates. This includes Article 88 GDPR; the Republic of Lithuania Labour Code; the French Code du travail; the German Betriebsverfassungsgesetz; the Italian Statuto dei lavoratori; and any applicable household-staff collective bargaining agreement.

11.2 Cultural-heritage, CITES, AML / sanctions, PEP and beneficial-ownership responsibility

The Principal remains the responsible person for every cultural-heritage, restitution, CITES, AML, sanctions, PEP and beneficial-ownership decision affecting the Object Universe. No App output constitutes a Holocaust-era / NAGPRA / UNIDROIT 1995 / UNESCO 1970 / EU 2019/880 / U.K. Dealing in Cultural Objects (Offences) Act 2003 / Washington Conference Principles restitution adjudication; CITES, alcohol-import, tobacco-import or firearms-licensing determination; sanctions / PEP / ultimate-beneficial-owner determination; tax filing or domicile determination; notarial deed; Qualified Trust Service Provider attestation; Land Registry entry; court order; or insurance underwriting decision.

11.3 Children, descendants and the descendant interface

Family Archivist processes data of minors as descendants, beneficiaries, sealed-message recipients and Living Family Tree subjects. The descendant interface is age-aware: a 16-year-old descendant is never confronted with medical files; sealed content requires an explicit “this is painful” consent step; difficult topics are surfaced in dignified language; there are no surprise death reminders or anniversary pushes. The Principal is responsible for the lawful basis under Articles 6, 8, 9 and 88 GDPR. Minor-facing material is redacted by default from any advisor / insurer / dealer / cultural-institution Evidence Packet.

11.4 Posthumous protocols, Sealed Messages, Shamir k-of-n custodianship and the Inheritance-Readiness Map

Family Archivist implements posthumous protocols (release on verified death, incapacity, age threshold, date threshold or event threshold), Sealed Messages with trigger schedules, Shamir k-of-n custodianship (principal-chosen custodians, principal-chosen threshold; shares stored on custodian devices, never on ML Consulting infrastructure), the Emergency File and the Inheritance-Readiness Map. Posthumous protocols and Sealed Messages are bound by classification tier — T5 sealed content is never embedded, indexed, summarised or retrieved by any AI feature. Death and incapacity are not verified by ML Consulting; verification is the responsibility of the principal-chosen custodians under the underlying contract and the applicable EU Regulation (EU) 650/2012 (Brussels IV), Hague Trust Recognition Convention and national probate / succession law.

11.5 Counterparty Portal recipients and Evidence Packet delivery

Where the Principal enables a Counterparty Portal seat, the Principal is responsible for: limiting the seat scope to records the recipient actually needs; setting an appropriate expiry; honouring the classification-tier metadata (T5 NEVER exposed; T4 minimised by default); redacting minor-facing material by default; pseudonymising household-staff, dependant and Counterparty Portal recipient identifiers; respecting the rules of professional secrecy; and informing the recipient that the seat delivers a read-only operational record only — not an authentication, attribution, valuation, restitution, CITES, AML, sanctions, tax, court-of-justice, notarial or Qualified Trust Service determination.

12. Recipients of personal data

We share personal data only with the categories of recipients listed below, and only to the extent necessary for the purpose. We do not sell personal data, and we do not “share” personal data for cross-context behavioural advertising as that term is defined under California law. We do not share or sell Object Universe, Person, Place, Event, Decision, Evidence-Stack, Memory Studio, Living Family Tree, Sealed Message, Emergency File, Inheritance-Readiness Map or Family-Governance data with any third party for advertising, commercial-intelligence, valuation-benchmarking, market-research, insurance-aggregation, genealogical-aggregation or any other secondary purpose.

Categories of recipients:

Apple Inc. and Apple Distribution International Limited — App Store distribution, Sign in with Apple, Passkeys, APNs, ActivityKit, ClockKit, Vision / VisionKit / Speech / NaturalLanguage / Core ML / PhotoKit / PencilKit / ARKit / RoomPlan / LiDAR / CryptoKit / Secure Enclave / HomeKit / Matter, iCloud and CloudKit where used, StoreKit 2 In-App Purchase. Independent controller for App Store-side and Apple-platform-side processing.

EU-resident backend hosting provider (managed Postgres and signed-URL object storage) — host the Family Archivist backend with per-MediaItem-envelope-encrypted storage, row-level security per Tenant and Workspace, scheduled jobs and Counterparty Portal serving. Sub-processor under written terms; data hosted in the EU.

Workflow orchestration provider — run scheduled jobs including long-running ingest, sealed-message countdown, break-glass delay window, sensor-breach Critical Alert, RFC 3161 anchoring, daily Merkle-root hash-anchoring, fixity check, Annual Preservation Review, Inheritance-Readiness Map index, posthumous-protocol state transitions and Evidence Packet assembly. Sub-processor under written terms.

Payment provider — Stripe (Direct Channel) — process Direct-Channel payments for the Family Office and Institutional editions, Counterparty Portal seats, paid pilots and the Concierge & Advisor Onboarding Service. We do not store full payment-card numbers. Subscriptions purchased through the Apple App Store are processed by Apple Inc., not by Stripe. Independent controller for payment-card processing; sub-processor for billing data.

Email-delivery provider — service messages, magic-link authentication emails, support replies, onboarding communications and Counterparty Portal share-link emails. Sub-processor under written terms.

Anonymised product-analytics, monitoring and crash-reporting providers — privacy-respecting product analytics (Firebase Crashlytics service); pseudonymised where feasible; opt-in for Diagnostics and Usage Data; never on identifiable T3 / T4 / T5 content, Sealed Messages, Emergency File contents, posthumous protocols or minor-facing material. Sub-processors under written terms; used only after consent where required.

Voice-transcription provider (backend Whisper-class long-form, paid add-on, within the private EU GPU boundary) — refine on-device first-pass transcripts of Memory Studio long-form recordings, where the Principal has enabled the AI add-on. T5 NEVER transmitted. Sub-processor under written terms; inputs and outputs are not used to train any third-party model.

Language-model provider (Anthropic — Claude-class capture-protocol narrative drafting, Evidence Packet narrative drafting and Fine-Art provenance-timeline drafting, paid add-on, within the private EU GPU boundary) — generate AI-drafted narratives. T5 NEVER transmitted. AI-drafted narratives carry a “Draft — review before sharing” watermark. Sub-processor under written terms; inputs and outputs are not used to train, fine-tune, evaluate or benchmark any third-party model.

Independent RFC 3161 trusted timestamp authority (TSA) — anchor premium-tier MediaItems and material-change events at ingest. The TSA receives the canonical-serialisation hash only — never the MediaItem content itself.

HomeKit / Matter sensor manufacturers (where the Principal pairs a sensor) — manufacture, supply and maintain the paired sensors. Independent controllers in their own right.

Professional advisers to ML Consulting (lawyers, accountants, auditors, insurers) — legal, tax, audit, insurance, cultural-heritage, AML / sanctions, employment and Concierge & Advisor Onboarding Service advice on a need-to-know basis. Independent controllers under their own duties of confidence.

Authorities, courts, regulators and law-enforcement — where we are required by law, court order or a binding regulatory request, including the VDAI, the Lithuanian State Tax Inspectorate, the Centre of Registers, the Special Investigation Service (STT), OLAF, the European Commission, the Court of Justice of the European Union, national courts and arbitration tribunals, cultural-heritage regulators, restitution registries, CITES management authorities, AML / sanctions / PEP authorities and the data-protection / law-enforcement authorities of the EU Member States, the UK, the US, Switzerland and other jurisdictions. Independent controllers acting under their statutory powers.

Successor entity — in the context of a merger, acquisition, restructuring or sale of assets, subject to confidentiality safeguards. Independent controller after the transaction closes.

References in the App to fine-art auction houses, watch authorities, gemological laboratories, book trade bodies, wine authorities, numismatic and philatelic graders, vinyl authorities, antique trade bodies, vehicle authorities, maritime classification societies, equestrian bodies, cultural-heritage regulators, forensic restitution registries, tax authorities, professional bodies and dealer associations are descriptive only. None of those bodies endorses, certifies, audits, accredits, authenticates, valuates or warrants the App or any Evidence Packet, and none is a sub-processor, recipient or party to this Policy by virtue of being named.

A current list of our sub-processors, together with the country in which each provider operates, is published at mlconsulting.lt/legal/sub-processors and is updated when the list changes. Each sub-processor we engage is bound by a written contract that imposes the data-protection obligations required by Article 28 GDPR (or equivalent contractual safeguards), with explicit prohibitions on the use of Subscriber Data for AI-model training, fine-tuning, evaluation or benchmarking.

13. International data transfers

ML Consulting MB is established in Lithuania and hosts the Family Archivist backend in the European Union, with server-side AI executing within a private EU GPU boundary. Personal data is encrypted in transit and at rest, with per-MediaItem envelope encryption, and we aim to keep personal data — particularly T3 / T4 / T5 content, Sealed Messages, Emergency File contents, Inheritance-Readiness Map state and minor-facing material — within the European Economic Area by default. Some of our sub-processors and the global infrastructure of Apple Inc., Stripe and the language-model / voice-transcription add-on providers may process data in the United States or other regions where they operate.

Where personal data is transferred outside the EEA or the United Kingdom to a country that has not been the subject of an adequacy decision under Article 45 GDPR, we rely on one or more of the safeguards required by Chapter V GDPR, in particular:

European Commission adequacy decisions, including the EU-US Data Privacy Framework where the recipient is certified under it;

the European Commission's Standard Contractual Clauses (Module Two — controller to processor — and Module Three — processor to sub-processor), with the UK International Data Transfer Addendum or the UK International Data Transfer Agreement for transfers from the United Kingdom, and supplementary measures consistent with the European Data Protection Board's recommendations;

additional technical measures including TLS 1.2 or higher, per-MediaItem envelope encryption at rest, hybridised Ed25519 / X25519 + ML-KEM-768 signing and key encapsulation on premium tiers, and contractual and organisational measures appropriate to the multi-generational time horizon over which the canonical record is preserved; and

any other lawful transfer mechanism under Articles 46 to 49 GDPR.

14. Automated decision-making, on-device ML and backend AI
14.1 No solely-automated decisions with legal or similarly significant effects

We do not subject you to decisions producing legal effects concerning you or similarly significantly affecting you that are based solely on automated processing within the meaning of Article 22 GDPR. Where any aspect of a decision affecting you is informed by automated logic, a human reviewer named in the Tenant's Workspace — Principal, family member, fiduciary, advisor or named expert — is meaningfully involved in the outcome.

14.2 Explicit AI exclusions

Family Archivist does NOT offer:

AI authentication, attribution, valuation, condition, conservation, drinking-window, vintage, cuvée, movement-originality, re-shell or Frankenwatch, gemological grading, bibliographic edition, pressing-grade, FIVA passport, registry status, flag-state classification or breed-society-registry determinations on any Object Universe item;

AI Holocaust-era / Nazi-confiscated / colonial-period / NAGPRA / UNIDROIT 1995 / UNESCO 1970 / EU 2019/880 / U.K. Dealing in Cultural Objects (Offences) Act 2003 / Washington Conference Principles / Nicosia Convention restitution adjudications;

AI CITES, alcohol-import, tobacco-import or firearms-licensing determinations (the Firearms Module is jurisdiction-gated and is never a transaction product);

AI sanctions / PEP / ultimate-beneficial-owner / source-of-wealth determinations;

AI tax / HMRC / IRS / VMI or domicile determinations;

AI fiduciary, trust, protector, executor, guardian, custodianship, succession, probate or matrimonial-property adjudications;

AI capacity, mental-health, paternity, orientation, sexuality, medical-state, fertility, pregnancy or other special-category inferences without explicit per-item confirmation by the Principal or the data subject;

AI grief, mortality, estrangement or anniversary-tone narrative — emotionally manipulative language around death, grief, estrangement or mortality is explicitly prohibited;

AI posthumous narrative attributed to a deceased person without that person's prior signed authorisation during their lifetime;

AI sealed-content extraction, summary, index or retrieval — sealed (T5) content is NEVER embedded, indexed, summarised or retrieved by any AI feature;

AI sale, transaction, trade, buy, sell, drink-now-or-never or appreciation / depreciation prediction suggestions — Family Archivist NEVER recommends selling, buying, drinking-now-or-never or acting before an Object appreciates;

AI re-shell, Frankenwatch, counterfeit, forgery or alteration claims on any object — only flagged for qualified human review;

AI behavioural, ranking, employability, blacklist, counterparty-risk, advisor-quality, dealer-quality, auction-house-quality, conservator-quality, sommelier-quality, horologist-quality, vet-quality or family-member profiles; or

AI marketing-tier notifications about collections — a wine collector is never nudged to “add three more bottles to unlock”.

14.3 On-device Speech / NaturalLanguage / Vision / VisionKit / Core ML / PhotoKit / PDFKit / RoomPlan / LiDAR

The App includes on-device Speech-framework first-pass dictation, on-device NaturalLanguage language detection, on-device VisionKit document-scanner OCR, on-device Vision capture-protocol validation, on-device Core ML embeddings (for T1 / T2 content only — sealed T5 NEVER embedded), on-device PhotoKit photo-recognition, on-device PDFKit direct text extraction, on-device ARKit / RoomPlan / LiDAR room and object scans and on-device cosine-similarity oral-history retrieval. These run locally on your iPhone or iPad and the input is not transmitted to any third-party AI provider as a result of these features. Outputs are advisory; below a configurable confidence threshold, the App surfaces a “needs human review” badge and does not auto-publish the affected value.

14.4 Backend AI add-on — opt-in, never autonomous, within the private EU GPU boundary

The App may include an opt-in, paid backend AI add-on with the following components, all of which execute within the private EU GPU boundary: Whisper-class voice transcription for longer-form Memory Studio audio; Claude-class capture-protocol narrative drafting; Claude-class Evidence Packet narrative drafting; and Claude-class Fine-Art provenance-timeline drafting (with mandatory human review of restitution-window flags). The add-on is off by default and is activated only when the Principal explicitly enables it in Settings.

Where the backend AI add-on is enabled:

AI output is editable text only and requires explicit human confirmation by a named reviewer before persistence, export, Evidence Packet inclusion or Counterparty Portal sharing;

raw input is always retained alongside any AI-structured output, so you can audit and override;

AI never auto-publishes an Object record, a Living Family Tree edge, a Sealed Message, an Emergency File entry, an Inheritance-Readiness Map check-off, a posthumous-protocol release, a Counterparty Portal seat, an Evidence Packet, an AuditEvent entry or a Family-Governance vote;

AI-drafted narratives carry a “Draft — review before sharing” watermark until the Principal or a named fiduciary explicitly finalises;

retrieval-augmented generation requires citations on every answer — citation-less responses are rejected by the UI;

inputs and outputs are not used by ML Consulting or by any sub-processor to train, fine-tune, evaluate or benchmark any third-party model;

T3 / T4 content is minimised or excluded from transmission unless the Principal expressly enables that flow; T5 sealed content is NEVER transmitted, NEVER embedded and NEVER indexed under any circumstance;

the Principal may disable the add-on at any time in Settings; on disablement, server-side embeddings are purged.

14.5 EU AI Act readiness

We design and operate AI features to be compatible with applicable obligations under Regulation (EU) 2024/1689 (the Artificial Intelligence Act), including transparency, logging, AiExtractionRun-equivalent versioning, model-change-control through the AuditEvent log, quarterly internal red-teaming and annual external red-teaming, and human-oversight requirements appropriate to the risk classification of the relevant feature. None of our current AI features is, or is held out as, a high-risk AI system within the meaning of Annex III of the AI Act.

15. How long we keep personal data

Family Archivist is designed for century-scale legibility — the canonical record is intended to be preserved across multiple generations. We keep personal data only for as long as we need it for the purpose for which it was collected, or as required by applicable law, or as the Principal has configured.

Account and authentication data: lifetime of the account; in any case deleted or anonymised within 24 months of complete inactivity, save where statutory retention applies or the Principal has configured a longer multi-generational retention.

On-device application data (iPhone, iPad, Apple Watch): held on your device for as long as you keep it; included in iCloud Backup if you have it enabled. Removed by the operating system on App deletion.

Telemetry, capture-duration and service-operation data: pseudonymised at collection where feasible; retained in identifiable form for a maximum of 13 months; aggregated or anonymised data may be retained indefinitely.

Communications, support and Concierge & Advisor Onboarding Service correspondence: up to 24 months from the close of the last related correspondence; longer where the matter relates to a complaint, dispute, investigation, regulatory matter or legal claim until the matter is resolved plus the applicable limitation period.

Billing, accounting and tax records: up to 10 years from the end of the relevant accounting period, in line with the Republic of Lithuania Law on Financial Accounting and the Republic of Lithuania Law on Tax Administration.

Customer Data within Tenants and Workspaces (we are processor): governed by the Master DPA and by the Principal's configured retention. Family Archivist is designed for multi-generational retention by default. On termination: a 30-day data-export window in read-only mode, followed by deletion or anonymisation within a further 60 days, save for records the Principal has configured for longer retention or that law, contract, fiduciary duty, insurer, museum or cultural-institution requires to be retained.

Counterparty Portal seats and Evidence Packets: active until expiry or revocation; activity log retained for up to 24 months from seat expiry for audit purposes (longer where the underlying counterparty contract, professional-secrecy rules or cultural-institution loan terms require).

Sealed Messages and posthumous-protocol contents: retained until the configured release trigger fires or until the Principal revokes the Sealed Message. Sealed (T5) content is NEVER embedded, indexed, summarised or retrieved during retention.

Shamir k-of-n custodianship metadata: retained for the life of the Tenant. Share metadata only is retained server-side; the share itself is held by each custodian on their device, never on ML Consulting infrastructure.

RFC 3161 trusted-timestamp tokens: retained for the life of the relevant MediaItem.

Sensor and environmental-telemetry data (HomeKit / Matter): retained while the parent Storage Location exists.

Security and platform audit logs (AuditEvent): append-only and retained for the life of the Tenant; required for evidentiary integrity, signature verification and posthumous-protocol verification. Hash-chained and daily Merkle-anchored.

Backups: standard backup-rotation cycles (typically up to 30 days). Backups are not used to restore deleted accounts and are themselves overwritten on the rotation cycle.

16. Security and personal-data breaches
16.1 Article 32 measures

We implement and maintain appropriate technical and organisational measures to protect personal data — particularly T3, T4 and T5 content, Sealed Messages, Emergency File contents, posthumous-protocol contents, Shamir k-of-n custodianship metadata and minor-facing material — against unauthorised access, accidental loss, destruction, alteration or disclosure (Article 32 GDPR). These measures include: EU-resident backend hosting with encryption in transit (TLS 1.2 or higher) and at rest with per-MediaItem envelope encryption; per-tenant row-level security and signed-URL access; hybridised Ed25519 / X25519 + ML-KEM-768 signing and key encapsulation on premium tiers, with cipher-agility; RFC 3161 trusted timestamping on T4 / T5 MediaItems; Shamir k-of-n custodianship for the per-tenant KEK with principal-chosen custodians; FIDO2 hardware tokens for fiduciary and admin roles; Face ID / Touch ID biometric gating of high-consequence operations; salted-hash storage of shared-device PINs; watermarking, version-stamping, SHA-256 + BLAKE3 hashes per MediaItem, daily Merkle-anchored Tenant-scope hash-chain and provenance-hash audit-trail blocks on every Evidence Packet; an append-only AuditEvent log; time-limited, scope-restricted Counterparty Portal seats with minor-facing material redacted by default; and explicit T5-sealed-content enforcement at ingest and on every classification change.

16.2 Notification of personal-data breaches

If we become aware of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons — and especially where it affects T3 / T4 / T5 content, Sealed Messages, Emergency File contents, posthumous-protocol contents, Shamir custodianship metadata or minor-facing material — we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of the breach (Article 33 GDPR). Where the breach is likely to result in a high risk, we will notify the affected data subjects without undue delay (Article 34 GDPR). Where ML Consulting is acting as processor on behalf of a Tenant Principal, we will notify the Principal without undue delay in accordance with Article 33(2) GDPR and the Master DPA.

16.3 Reporting a suspected breach to us

If you suspect a security incident or unauthorised access, please notify us at support+familyarchivist@mlconsulting.lt without undue delay. Provide as much detail as you can; do not include passwords, Shamir share values or other secrets in the email.

17. Your rights as a data subject

Subject to the conditions set out in the GDPR, you have the rights below. These rights are not absolute and may be restricted by law.

Right of access (Article 15) — confirm whether we process personal data about you and obtain a copy together with the information set out in Article 15.

Right to rectification (Article 16) — have inaccurate personal data corrected and incomplete data completed. Family Archivist preserves conflicting evidence as sibling statements rather than merging.

Right to erasure (Article 17) — have personal data erased where the conditions in Article 17 apply. The App offers an in-app “Delete account” control. Where you appear as a depicts back-edge on a MediaItem with multiple back-edges, the MediaItem is preserved as long as one back-edge remains; the depicts back-edge to you can be removed independently.

Right to restriction of processing (Article 18) — restrict our processing while we verify the accuracy of contested data, while we deal with an objection or in the other circumstances set out in Article 18.

Right to data portability (Article 20) — where processing is based on consent or contract performance and is carried out by automated means, receive the data you provided in a structured, commonly-used and machine-readable format. The App provides in-app BagIt exports (PDF/A + JPEG + JSON-LD + README), Evidence Packets and the AuditEvent log.

Right to object (Article 21) — object to processing based on legitimate interests on grounds relating to your particular situation, and at any time to direct marketing.

Rights related to automated decision-making (Article 22) — not be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects.

Right to withdraw consent (Article 7(3)) — where we rely on consent, withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

Right to lodge a complaint (Article 77) — complain to our lead supervisory authority, the VDAI in Vilnius, or to the supervisory authority of the EU Member State where you habitually reside, where you work or where the alleged infringement took place.

17.1 How to exercise your rights

You can exercise the rights above by sending an email to support+familyarchivist@mlconsulting.lt with the words “Privacy request — Family Archivist” in the subject line.

We will respond to verifiable requests without undue delay and in any event within one month of receipt under Article 12(3) GDPR. We may extend that period by up to a further two months for complex or numerous requests. We may need to verify your identity proportionate to the request and the data concerned. The service is free of charge unless your request is manifestly unfounded or excessive (Article 12(5) GDPR).

17.2 Workspace-controlled data

For Customer Data that we process as processor on behalf of a Principal, please direct your request to the Principal (or to the Family Office / Multi-Family Office that operates the Tenant) first; if you cannot identify the Principal, contact us at support+familyarchivist@mlconsulting.lt and we will redirect your request without undue delay.

18. Regional rights notices
18.1 Lithuania — VDAI, Labour Code, Whistleblower Law and tax law

Where the Subscribing Customer operates from the Republic of Lithuania, the Republic of Lithuania Law on Legal Protection of Personal Data applies in addition to the GDPR. The Republic of Lithuania Labour Code, the Republic of Lithuania Law on the Protection of Whistleblowers, the Republic of Lithuania Law on Financial Accounting, the Republic of Lithuania Law on Tax Administration, the Republic of Lithuania Law on Inheritance, the Republic of Lithuania Civil Code and the Republic of Lithuania Law on Protection of Cultural Heritage apply independently of the App.

18.2 European Union — GDPR, AI Act, eIDAS, Whistleblower Directive, Brussels IV, EU 2019/880, AML, sanctions

Regulation (EU) 2024/1689 (the AI Act), Regulation (EU) 910/2014 (eIDAS), Directive (EU) 2019/1937 (Whistleblower Directive), EU Regulation (EU) 650/2012 (Brussels IV — succession), the Hague Convention on the Law Applicable to Trusts and on their Recognition 1985, EU Regulation (EU) 2019/880 on import of cultural goods, 5AMLD, 6AMLD, EU restrictive measures (EU Consolidated List), Articles 8 and 88 GDPR and the EU Charter of Fundamental Rights apply across the EU independently of the App.

18.3 United Kingdom

If you are in the United Kingdom, the UK General Data Protection Regulation and the UK Data Protection Act 2018 apply. The UK supervisory authority is the Information Commissioner's Office (ICO). The U.K. Dealing in Cultural Objects (Offences) Act 2003, the U.K. Cultural Property (Armed Conflicts) Act 2017, the U.K. Modern Slavery Act 2015, the U.K. Bribery Act 2010, the U.K. Money Laundering Regulations 2017 and the U.K. Trusts (Capital and Income) Act 2013 apply independently of the App.

18.4 United States — CCPA / CPRA, NAGPRA, U.S. National Stolen Property Act, U.S. firearms regulation, state probate

Authorised Users habitually resident in California may exercise the rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA / CPRA). We do not sell personal information and we do not “share” personal information for cross-context behavioural advertising. NAGPRA, the U.S. National Stolen Property Act, the Washington Conference Principles on Nazi-Confiscated Art 1998, U.S. firearms regulation and U.S. state probate / succession law apply independently of the App. Similar privacy rights are available to residents of Colorado, Connecticut, Virginia, Utah, Texas, Florida, Oregon, Washington and other US states with comprehensive privacy laws.

18.5 Other EU Member States, Switzerland, Norway, Australia and beyond

Where the Tenant operates from or holds Object Universe items in other jurisdictions, the national equivalents apply — including the French Code du patrimoine and Code du travail, the German Bundesarchivgesetz, Kulturgutschutzgesetz and Betriebsverfassungsgesetz, the Italian Codice dei beni culturali e del paesaggio and Codice civile (succession), the Spanish Ley del Patrimonio Histórico Español, the Swiss Federal Act on Data Protection (revFADP) and the Swiss Federal Act on the International Transfer of Cultural Property, the Norwegian Transparency Act 2022 (Åpenhetsloven) and the Australian Modern Slavery Act 2018.

18.6 Global Privacy Control

On the App's landing pages, we honour the Global Privacy Control signal where technically feasible, treating it as an objection to non-essential cookies and a request to opt out of any “sale” or “sharing” of personal information.

19. Children, descendants and the descendant interface

Family Archivist is designed to be used by adults as principals, family members and fiduciaries. Data subjects may include minors. The Principal is the controller of all minor personal data held in the tenant and is responsible for the lawful basis under Articles 6, 8, 9 and 88 GDPR. The descendant interface is age-aware: a 16-year-old descendant is never confronted with medical files; sealed content requires an explicit “this is painful” consent step; difficult topics are surfaced in dignified language; there are no surprise death reminders or anniversary pushes. If we become aware that we have collected personal data from a child without the appropriate authorisation, we will work with the relevant Principal to investigate and, where appropriate, erase the data. If you are a parent or guardian and believe your child has provided personal data to us, please contact us at support+familyarchivist@mlconsulting.lt.

20. Cookies and similar technologies

The Family Archivist iOS / iPadOS / watchOS App does not use analytics, advertising, profiling or marketing cookies. The App uses on-device storage (the iOS / watchOS application sandbox, the Keychain, SwiftData, UserDefaults) and CloudKit / EU-resident backend storage to deliver its features. This is not “cookies” within the meaning of the ePrivacy Directive 2002/58/EC.

The Counterparty Portal web pages, the App's landing pages on mlconsulting.lt and the Stripe billing pages (Direct Channel) use only strictly-necessary cookies (for example, a signed session cookie to honour the Counterparty Portal scope and the classification-tier / minor-facing / cultural-heritage-sensitivity metadata, or Stripe's payment-flow cookies). No analytics or advertising cookies are set on the operator surface.

21. Communications
21.1 Service messages

We send transactional service messages (security alerts, billing notices, magic-link authentication emails, support replies, Concierge & Advisor Onboarding Service event communications, material change notices) on the basis of contract performance under Article 6(1)(b) GDPR. Service messages are not commercial marketing and cannot be opted out of without ceasing to use the App.

21.2 No marketing-style nudges, streaks, anniversaries or anxiety triggers

Family Archivist explicitly prohibits marketing-style nudges, streaks, shareable moments, anniversary pushes, anxiety triggers, “time to update your cellar” marketing, “add three more bottles to unlock” gamification and any emotionally manipulative communication around death, grief, estrangement or mortality. Where we send commercial marketing emails about Family Archivist, we rely either on (i) your prior consent under Article 6(1)(a) GDPR and Article 13 of the ePrivacy Directive, or (ii) the “soft opt-in” under Article 13(2) of the ePrivacy Directive. You may opt out at any time by clicking the unsubscribe link in any marketing email, by emailing support+familyarchivist@mlconsulting.lt or by updating your preferences in your account where applicable.

21.3 Operational notifications — not authority, not adjudication, not emergency dispatch

APNs Time-Sensitive notifications, ActivityKit Live Activities, Dynamic Island indicators, WidgetKit Lock-Screen widgets and Apple Watch ClockKit complications are operational reminders configured by you in iOS Settings and in the App's Settings. They are best-effort and depend on Apple's platform services. They are NOT a national-archive accession record, NOT a notarial deed, NOT a court order, NOT a Qualified Trust Service Provider attestation, NOT a cultural-heritage restitution determination, NOT a CITES, alcohol-import, tobacco-import or firearms-licensing determination, NOT a sanctions / PEP determination, NOT a tax filing instrument, NOT a Land Registry entry, NOT an authentication / attribution / valuation determination, NOT an insurance underwriting decision and NOT a 112 / 911 / 999 dispatch. CALL 112 / 911 / 999 OR THE LOCALLY APPLICABLE PUBLIC EMERGENCY NUMBER FIRST whenever any person is in apparent danger of death or serious harm.

22. Changes to this Policy
22.1 Routine updates

We may update this Policy from time to time, for example to reflect new features, regulatory developments, sub-processor changes or operational changes. The latest version is always published on the App's App Store listing and at mlconsulting.lt/familyarchives/privacy.

22.2 Material changes

Where a change is material and adversely affects your rights or expectations, we will give reasonable advance notice — typically at least 30 days, unless a shorter period is required by law, by Apple App Store policy or to address a security risk — by in-app notice and, where we have your email address, by email. Non-material changes (typographical fixes, clarifications, contact-detail updates, sub-processor list updates) take effect on posting. Model change control: any backend AI model change is logged in the AuditEvent stream and disclosed in release notes.

22.3 Versioning

Each version of this Policy is dated and archived. The version in force at the time of the relevant processing governs that processing.

23. Contact us

For any question, request or complaint about this Policy or about how we process your personal data, please contact us using the details below.

Controller: ML Consulting MB

Address: Vilnius, Republic of Lithuania

Legal entity code: 306991112

Privacy contact (email): support+familyarchivist@mlconsulting.lt

Website: https://mlconsulting.lt

Lead supervisory authority: Valstybinė duomenų apsaugos inspekcija (VDAI), L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania · +370 5 271 2804 · ada@ada.lt · vdai.lrv.lt

Document end · Version 1.0 · Effective 1 October 2026 · Family Archivist — Privacy Policy · © 2026 ML Consulting MB

© 2026. All rights reserved.